After the malware is downloaded, it hides and regularly checks in with a malicious Twitter account for commands. These instructions direct the Trojan to either download and install additional malicious applications -- mostly data-stealing mobile banking malware -- or to switch to a different C&C Twitter account.

The malicious Twitoor app, which is thought to have been operating for around a month, can't be downloaded through the Google Play store. Researchers therefore suspect that it's spread via text messages or malicious URLs, impersonating a messaging application or a porn player in order to trick users into downloading the malware.

Device-enslaving botnets are favored by cybercriminals. However, a botnet that sends instructions from a single server farm is potentially detectable: in the right hands, information about those servers can be used to track down the perpetrators and eventually shut the botnet down.

Avoiding that weakness makes the Twitoor Android botnet more resilient than an average botnet, as its command-and-control operations can continually be switched from one Twitter account to another in order to evade detection. Those behind the malware have also taken additional steps to safeguard Twitoor, including encrypting messages to further obfuscate their activities.

"These communication channels are hard to discover and even harder to block entirely. On the other hand, it's extremely easy for the crooks to redirect communications to another freshly created account," says Štefanko.

While botnets aren't a new threat -- on Windows, Linux or Android devices -- the nature of Twitoor represents an evolution in how such networks are run. ESET researchers suggest the technique could even be used to distribute ransomware.

"Twitoor serves as another example of how cybercriminals keep on innovating their business," says Štefanko.
